Cisco VPN :: ASA5510 - VPN Tunnel Not Connecting
Dec 26, 2011
Our internet connection changed and so did our public IP addresses, I'm trying to re-establish our VPN tunnel with our client, but we haven't be able to get the connection back up even though only 2 IP addresses have changed. Below is my ASA 5510 config file Our WAN from the ISP is: 65.xx.xxx.104/30 and our LAN is: 67.xxx.xxx.128/27, I'm trying to use: 65.xx.xxx.106 as the endpoint and 67.xxx.xxx.130 as the host via the tunnel.
View 5 Replies
ADVERTISEMENT
Feb 12, 2012
Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface.I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel mas go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface. So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.
View 0 Replies
View Related
May 20, 2013
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
View 6 Replies
View Related
Oct 1, 2011
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
View 5 Replies
View Related
Apr 26, 2012
I have an asa 5510 that has many(17)ipsec vpn site tunnels on it. One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it. It does appear to be the tunnel only because there is no latency to the internet. I cleared the tunnel group out and readded it to no effect. isp says everything fine. any other known causes for this
View 2 Replies
View Related
Sep 21, 2011
I have an ASA5510 running in production. I have about 28 site-to-site vpn tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel including the crypto ACL has not been changed. This same tunnel had NO issues prior to the 8.2.4 upgrade.
I thought about trying to disable "inspect FTP,. I am running FTP passive mode on the ASA so I don't believe "inspect FTP" is required.
View 2 Replies
View Related
Feb 7, 2012
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
View 27 Replies
View Related
Dec 3, 2012
I have two routers on my internal network.
10.10.199.106 is a Cisco ASA5510.
10.10.199.108 is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
View 4 Replies
View Related
Mar 28, 2010
I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured. My remote users can access inside LAN servers as well as the Internet from their remote location. What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet? Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall. This will allow the same security as if they were sitting in the office.
View 4 Replies
View Related
Feb 2, 2012
We have a cisco asa5510 firewall, A user at home has a avaya ip phone which connects in on the VPN to the cisco asa5510, for some reason it keep dropping the connection then re connecting on a different IP address(see attached screen shot) thus losing the phone.
View 0 Replies
View Related
Apr 19, 2011
I have two ASA5510 with a peer to peer VPN configuration which is working pretty well.I'm trying to connect to my remote ASA (ASA2) with ASDM on my PC through the VPN on the local ASA (ASA1)I already connected the ASDM to ASA1 through the inside interface but I cant connect to the ASA2 the same way (over the VPN).
When I ping the ASA2 inside interface from my computer, I get the following events:
ASA1:
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built outbound icmp connection
192.168.2.1(ASA2 inside interface) | 0 | 192.168.1.36 | 512 | Teardown icmp connection
ASA2
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built local-host Corporativo(outside):192.168.1.36
192.168.2.1(ASA2 inside interface) | 0 | 192.168.1.36 | 512 | Built local-host identity:192.168.2.1
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built inbound icmp connection
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Teardown icmp connection
This is my config in ASA2
ASA Version 8.0(5)!hostname ciscosnqdomain-name chaco.com.boenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesname 192.168.2.10 SNQ-Servername 192.168.1.21 Srvplxaname 10.30.30.30 e-Servername 192.168.1.0 Experion-networkdns-guard!interface Ethernet0/0 nameif Corporativo security-level 0 ip address 10.64.12.6 255.255.0.0!interface Ethernet0/1 nameif ExP_LS security-level 90 ip address 192.168.2.1 255.255.255.0!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 nameif management security-level 100 ip address 192.168.0.2 255.255.255.0!boot system
[code]....
View 9 Replies
View Related
Nov 25, 2012
I've been labbing on my asa5505 at home, setting up different VPN solutions for testing purposes. However, I can't get my anyconnect client to establish a DTLS tunnel when connecting (anyconnect only shows tls, and does not display any errors about not connecting with dtls)I have set dtls port to 444 and this port is open on the other side.
View 2 Replies
View Related
Oct 8, 2009
I'm replacing my RVS4000 with the RV180 but having VPN connection issues with the RV180. Let me know the VPN tunnels work perfectly fine on the RVS4000.I have configured my RV180 for 3 VPN tunnels. My ISP is Comcast (cable) Business class with a Static IP. First VPN tunnel is to another Comcast ISP and the VPN works flawlessly - connects immediately.Second VPN Tunnel is to Business class ISP (Verizon-NJ) and VPN will NOT connect.Third VPN Tunnel is to Business class ISP (Cox Network-VA) and VPN will NOT connect.I had opened both the RVS4000 and RV180 up on a browser and both settings from the units were idential. I reconnect the RVS4000, VPN tunnels work great, I unplug and reconnect the RV180, the Comcast VPN works, but the other two do not.From what the log is saying "[IKE] WARNING: no phase2 found" and the other says "[IKE] ERROR: remote identifier not found". It has to be something with the RV180 that I'm missing or possibly configuring incorrectly.
View 3 Replies
View Related
Dec 20, 2012
I have a Cisco RV220W updated to latest firmware 1.0.4.17. I have been trying to get a VPN setup for the past few days without success. We had a test VPN up and running previously, but when we changed the IP's and secret key to connect the live VPN tunnel it failed and we haven't been able to get it working since.We have deleted both ends, rebuilt them probably 6 times each. We have changed secret keys, tried 3DES, AES, and AES256 encryptions with SHA-1. All the internal IP settings are correct :IE 192.168.1.1/24 or 192.168.1.1 255.255.255.0,External IP's are right, only oddball thing here is one of the external IP's is assigned by DHCP and is a /22 although the previous tunnel worked with the same ISP.
View 1 Replies
View Related
Feb 12, 2012
I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up..ip route 10.23.4.2 255. 255. 255. 255 FastEthernet0/0
and I can then ping the tunnel IP at the far end - 10.23.0.5.Why would that be? Is there a better way to do this without using a default route??
View 4 Replies
View Related
Aug 22, 2011
I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my suppliers end.Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside address' to a single address (192.168.89.1) as this is the only one they will let through their firewall/tunnel.I know how to set up the VPN but not too sure how to set up the NAT part.
My sanatized config is attached. The code I am using to NAT my inside network to the single address 192.168.89.1, and send all traffic accross the VPN tunnel as this address is correct? With the router running this config the VPN tunnel does not connect.
View 2 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
Jan 9, 2011
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
View 1 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Jul 24, 2012
Environment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.
View 2 Replies
View Related
Jan 23, 2012
There are a few situations were I'd like to be able to use the locally configured account on a device but still have ACS in place.I want to complete this WITHOUT adding the locally configured account into ACS.I have tried setting the advanced option under Identity for if an account is not found to "Continue" however this causes the account to be allowed as long as a password is typed (any password, as long as its not blank).
View 2 Replies
View Related
Apr 1, 2012
I connect to my corporate network using Cisco AnyConnect Secure Mobility Client. Once connected I can no longer print to my LAN attached printer and other local resources. I use the Cisco/Lyncsys E4200 router on my LAN and can re-connect to the storage on the local LAN by setting up Port Forwarding of port 21 and MS Windows FTP folder sharing. However, I can't seem to connect to a Terminal Services client by forwarding port 3389. Is there a way to connect to the local LAN after logging into the VPN connection. I can connect to regular HTTP/HTTPS sites and most other type of connectiins, just not my own local resources.
View 3 Replies
View Related
Nov 20, 2011
I want to establish GRE over IPsec tunnel between four branch offices and head office. At branch offices, I have 1841 router with Advanced Security software. At head office, I have a ASA5510 7.2 as frontend with one public IP addres and 1841 router behind it in private address space. Since ASA is not supporting GRE tunnels, can ASA be endpoint for GRE over IPsec? If not, can ASA pass this tunnel to the 1841 router behind it, so 1841 would be logical tunnel endpoint? What should I pay attention? Should both ASA and every 1841 support NAT-T, or just ASA?
View 1 Replies
View Related
Mar 14, 2011
We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that a rsa key was generated and that ssh ver 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy it's configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).
View 1 Replies
View Related
Mar 22, 2011
I have a customer who wants to prioritze rdp traffic throgh the firewall.I know that its port 3389, but outgoing traffic is a random port number.Any smart way to catch this traffic and get it in the LLQ ?
View 3 Replies
View Related
Jul 9, 2012
how to configure IPSEC VPN, but unsuccessfully.At my office are two uplinks - LAN and Backup, both are connected to ASA5510 (with static IP) and I would like to create ipsec to data center where I have another ASA5510 with one uplink.
View 7 Replies
View Related
Apr 27, 2011
I haven't come across this before and have been scratching my head about it for the last few hours and need a second (or third or fourth!) pair of eyes here.
I have an ASA5510 at the network edge, an inside interface of 10.1.0.x, a dmz interface of 192.168.1.x
[code]...
View 2 Replies
View Related
Nov 28, 2010
It's my understanding the ASA5510 will do BGP but does it can handle multi hop -BGP?
View 1 Replies
View Related
Jan 19, 2012
Currently we are using a Windows 2003 Server with VPN Sever Role for VPN Access and my users use the built in VPN connection with Windows client. In the past few weeks we upgraded our router/firewall to CISCO ASA5510.
My understanding is that I get 1 or 2 VPN licenses with the Cisco ASA5510 and I would like to configure to test Cisco VPN access. My first question…when I configure the Cisco ASA5510 for VPN (Clientless or via Client), do I need to point the Cisco to my Windows 2003 Server with VPN role on it or the Cisco ASA5510 handles the VPN connection and access?
View 3 Replies
View Related
May 8, 2012
I would like to implement a zone based firewall on my ASA5510. Is ZBF possible on ASA? or is it strictly for routers? I know we've implementd ZBF using Sonicwall firewalls before. A little confused here as to why my ASA doesnt have the right commands.Maybe my version of ASA software is too old? It's 8.2 if i remember right.
View 11 Replies
View Related
Jul 3, 2012
i exported config file from asa5505. i changed this file and i imported in my asa5510. can you tell me that config file allright
View 1 Replies
View Related
Jul 16, 2011
I just moved our vpn over to using LDAP/DAP instead of the previous RADIUS we were using before. First of all, the group policy split tunnel is setup for Tunnel Network list Below Network list has a group of networks named "split-tunnel" setup with all of our internal subnets in it. Which seems to be working fine, users are hitting internal networks no problem.Where the issue lies is surfing the web while they are connected to the VPN.I think I know what one of the the issues are, I'm just not sure how to get around it. I have a proxy server setup that all domain traffic goes through say 10.20.30.40. That is obviously on our internal subnet. Our remote users has a policy on their laptops set to where if they can see/get to the proxy server then it pushes all traffic through there, however if they can not, it goes straight to the internet. That way they can still surf the web when they aren't connected to the domain network.
With the new DAP vpn policies, it seems as though they are trying to go through the proxy but failing so all http traffic is getting blocked on their computer as I can still ping say google.com...just can't open the web page.In my SALES-VPN access lists there isn't any acl that allows any traffic to 10.20.30.40(proxy server) so there isn't any reason their laptop would think it could get to it correct?I can't put an access-list SALES-VPN extended deny ip any any log critical at the end of the acl list because then it doesn't show up as an option to apply to the DAP since the acls have to be either permit or deny, not a mix.Also, if I just create an ACL access-list DENY-VPN extended deny ip any any log critical and apply it to the DAP *after* the SALES-VPN ACLs thinking all traffic would flow down as in go through all the permit acls first, and then hit the deny acl after, it just blocks all traffic.It almost seems that some traffic that isn't specifically being permitted by the permit acls is still getting through which is obviously not wanted. However, if I try to rdp into a server that isn't specifically permitted in the SALES-VPN acls it doesn't work so I'm kind of at a loss..
View 5 Replies
View Related
